Out-of-Band TAPs Are an NSA Nightmare

Remember that line from Alan Turing in the movie TheImitation Game? The moment he realized the significance of C-I-L-L-Y?

The Germans thought that with Enigma, they had the answer to securing their communications. Maybe they did, well, until they didn’t. If only they’d been better at monitoring their own, what they thought to be, thoroughly secure network, they might have caught the unwitting insider who accidentally exposed them with something as simple as a daily weather report. Little things can mean a lot, especially when you figure in the convenience factor.

During the recent and inaugural Usenix Enigma security conference, NSA Chief Hacker Rob Joyce gave a much-anticipated talk during which he revealed how some seemingly little things might actually help keep him and his hacker associates out of our systems.

Hackers Are Humans, Too

They don’t call them Advanced Persistent Threats (APTs) for nothing. As Joyce said, persistence and patience is the name of the game. Turing was persistent. And so, too, are today’s hackers. In fact, they’re hyper-persistent, hyper-patient, and hyper-smart.

But . . . they’re also human. And humans like to take the easy way out. Or, in this case, in.

It’s a bit like if I were a burglar. Whilst out casing some affluent neighborhood for my next big heist, let’s say I find three attractive home targets. The first has a fence. The second, a fence and an alarm system. The third, a fence, an alarm system, a pair of Zeus and Apollo lookalikes, and flood lights. As much as I like dogs, we all have our deterrents—and, frankly, the only lighting I like these days comes from candles.

The idea is to make yourself a less attractive target.

No doubt, Joyce and team are quite capable of advanced zero-day attacks. But that’s not where they’ll start. They don’t have to. Other, easier pickings and targets abound, including: sysadmins (whose credentials are king for gaining system access); hardcoded passwords in software or those submitted via old protocols (useful for lateral network movement); or HVAC and other features of building infrastructure.

Joyce also pointed out how easy it is to hack network systems that have gone unpatched for known vulnerabilities or been otherwise inadvertently infected. As an example of the latter, he specifically called out employees who’ll bring and connect devices to the office that they’ve let their kids load up with Steam games. Do you know what those are? To start, a security threat.

A couple months ago, it was revealed that Steam, a gaming platform, had developed a huge security problem. Due to some caching issue, users who logged in to view their account details were also able to see the personal details—including credit card information and mailing addresses—of other users. Not good.

NSA Best Practices to Get in Tip TAP Security Shape

To make life harder for hackers, Joyce had some advice. He suggested limiting access privileges to important systems; segmenting networks and important data to make it more difficult to reach critical assets; patching systems and implementing application whitelisting; and removing hardcoded passwords and legacy protocols that transmit passwords in the clear.

Even more interesting, though, was what he had to say about network TAPs. For the NSA, one of the hardest things to hack against is a network with out-of-band TAPs—which enable the continuous monitoring of network activity by sending copies of packets to security inspection and analytics devices. Joyce labeled them a nightmare—especially when combined with fastidious system administrators who actually read and pay attention to those logs.

What he didn’t mention, but maybe could have, was the full potential of a network replete with network TAPs: creating a visibility fabric. Think of it as a pervasive layer that spans all reaches of the network and, ultimately, gives security tools their best chance at spotting anomalies in the network. Leveraging network TAPs, which are primarily used to send copies of traffic to out-of-band security tools, the visibility fabric can also connect inline security devices like firewalls and IPSes. For these, the visibility fabric adds bypass capabilities and the ability to load balance traffic in case of tool failure.

With a visibility fabric, maybe those sysadmins wouldn’t need to be quite so fastidious because false positives are reduced when the right traffic makes it to the right tools. To think this discussion all started with the humble TAPs. And now, we can see that one person’s nightmare could be a security admin’s dream come true.

Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings. Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems. Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a B.S. in Electrical Engineering from the University of Maryland.